Firefox updates (in this case Version 28) cause ciphers mismatch
Hi , I am using Solaris 10 above Tomcat 6 I installed the latest version of Firefox – version 28. In addition, I installed the ECC Cipher suite regarding to https://bugzilla.mozilla.org/show_bug.cgi?id=235773
I had a problem that causes a cipher mismatch whenever an update of Firefox is released and installed. This problem repeats itself and the solution was to remove the cipher that is not supported. Firefox update number 28 caused a mismatch. In order for the website to load and function properly I had to remove the TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA cipher.
The following ciphers are in use:
TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA
Currently, the site is not loaded via Firefox (Error_Code: ssl_error_internal_error_alert) however, it works perfectly under chrome and IE.
Only after TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA cipher removal, the site returns to function.
This scenario also happened on firefox build 26 (a month ago) and the solution was to remove TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA cipher.
1. Does Firefox support SSL Certificates for the ECC algorithm? 2. Do I need to remove all ECC ciphers in order for the websites to work properly? 3. Is there a recommended ciphers suite that I could use so I won't encounter these problems?
Thanks. Liran
由 cor-el 於 修改
所有回覆 (3)
There have been more reports about this:
Possibly a consequence of this bug fix:
- bug 936828 - Change order of cipher suites offered in client hello to match modern best practices
Please do not comment in bug reports
https://bugzilla.mozilla.org/page.cgi?id=etiquette.html
Hi cor-el, thank you for the detailed solution.
I change the security.tls.version.max on about.config from "3" to "0" and it solves the problem but it seams the solution is not the recommended one.
You recommended to change SSL cipher priority on mozilla manually, or otherwise install the patch that will update the entire workstations.
Can you please provide some information on : 1.How to change manually the priority of the ciphers on about:config ? (I found the article http://kb.mozillazine.org/About:config but I did not find how to do the change).
2. I'm not familiar of the way I should install the patches. (change-cipher-order-v2.patch, fix-comment.patch). As I know, the scripts should run under linux machine, but what if the workstation run under windows, I should write powershell script ?
Thanks again.
You can't use the about:config page to change the order of cipher suits.
You can only enable and disable cipher suits by toggling the pref.
I don't know that much about in what order Firefox will try to connect to a server after analyzing the server response, so I'm afraid that I can't help you.
You can try to ask in the crypto newsgroup.